govspeak 7.1.0 → 8.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d3ea39476d15515cff8cf40fa41951ed6d551a495e6f8a40415fdb4eb7752660
-  data.tar.gz: e084cd737b290c2254fd43796ea4c0a99b906790034a22f258d509a556a726a8
+  metadata.gz: 0b77227c0a115225f51dc35e8dc7e177212aae5b215400f4b0384bd99fdf04a2
+  data.tar.gz: dcca6a433304ceb7d1cf1281ac0d16e738e7e7fb3479551ec69c0fe2e2dfa2ad
 SHA512:
-  metadata.gz: c732aaee36be6d012574e52e6d7dc07a906a539f19e9e5d6f4bbf793a7936761fdc5f5c1e8cade26da7ed93830044017fea897ef7890a1d226796407166e372a
-  data.tar.gz: b7c8a84a1baa01b04483674f10708dd96467b343560dd3c1465de7a0846870ab7a99a6a63da892b48399e4d9cb30f7f18f28273d1a7ad85d433a8a9b79a49fac
+  metadata.gz: f8302fc09c9160bc5ea3d8cc33af663e106ba36287d10105272c03467e5aed41c5fb7f5e76da934f93c121b79687287f1c9edc92dab2aebca486c256cd4fa76f
+  data.tar.gz: fc0c093d411ccb309172828f8d21671d8e31bc7458a2285b1fb7a0ba22a63a598e27397b78e52af93e756eb52353e7c53ec1c2b11e16d0b42b6e26b5a981c613

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 8.0.0
+
+* BREAKING: HTML style attribute and style element, which were never supposed to be available, are forbidden. [#279](https://github.com/alphagov/govspeak/pull/279)
+
+## 7.1.1
+
+* Make image and attachment embedding syntax more consistent [#274](https://github.com/alphagov/govspeak/pull/274)
+
 ## 7.1.0
 
 * Drop support for Ruby 2.7 [#272](https://github.com/alphagov/govspeak/pull/272)

data/lib/govspeak/html_sanitizer.rb

@@ -17,31 +17,13 @@ class Govspeak::HtmlSanitizer
     end
   end
 
-  class TableCellTextAlignWhitelister
-    def call(sanitize_context)
-      return unless %w[td th].include?(sanitize_context[:node_name])
-
-      node = sanitize_context[:node]
-
-      # Kramdown uses text-align to allow table cells to be aligned
-      # http://kramdown.gettalong.org/quickref.html#tables
-      if invalid_style_attribute?(node["style"])
-        node.remove_attribute("style")
-      end
-    end
-
-    def invalid_style_attribute?(style)
-      style && !style.match(/^text-align:\s*(center|left|right)$/)
-    end
-  end
-
   def initialize(dirty_html, options = {})
     @dirty_html = dirty_html
     @allowed_image_hosts = options[:allowed_image_hosts]
   end
 
   def sanitize(allowed_elements: [])
-    transformers = [TableCellTextAlignWhitelister.new]
+    transformers = []
     if @allowed_image_hosts && @allowed_image_hosts.any?
       transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
     end
@@ -60,21 +42,29 @@ class Govspeak::HtmlSanitizer
   end
 
   def sanitize_config(allowed_elements: [])
+    # We purposefully disable style elements which Sanitize::Config::RELAXED allows
+    elements = Sanitize::Config::RELAXED[:elements] - %w[style] +
+      %w[govspeak-embed-attachment govspeak-embed-attachment-link svg path].concat(allowed_elements)
+
     Sanitize::Config.merge(
       Sanitize::Config::RELAXED,
-      elements: Sanitize::Config::RELAXED[:elements] + %w[govspeak-embed-attachment govspeak-embed-attachment-link svg path].concat(allowed_elements),
+      elements: elements,
       attributes: {
-        :all => Sanitize::Config::RELAXED[:attributes][:all] + %w[role aria-label],
+        # We purposefully disable style attributes which Sanitize::Config::RELAXED allows
+        :all => Sanitize::Config::RELAXED[:attributes][:all] + %w[role aria-label] - %w[style],
         "a" => Sanitize::Config::RELAXED[:attributes]["a"] + [:data] + %w[draggable],
-        "svg" => Sanitize::Config::RELAXED[:attributes][:all] + %w[xmlns width height viewbox focusable],
-        "path" => Sanitize::Config::RELAXED[:attributes][:all] + %w[fill d],
+        "svg" => %w[xmlns width height viewbox focusable],
+        "path" => %w[fill d],
         "div" => [:data],
-        # @TODO  These style attributes can be removed once we've checked there
-        # isn't hardcoded HTML in documents that uses them
+        # The style attributes are permitted here just for the ones Kramdown for table alignment
+        # we replace them in a post processor.
         "th" => Sanitize::Config::RELAXED[:attributes]["th"] + %w[style],
         "td" => Sanitize::Config::RELAXED[:attributes]["td"] + %w[style],
         "govspeak-embed-attachment" => %w[content-id],
       },
+      # The only styling we permit is text-align on table cells (which is the CSS kramdown
+      # generates), we can therefore only allow this one CSS property
+      css: { properties: %w[text-align] },
     )
   end
 end

data/lib/govspeak/version.rb

@@ -1,3 +1,3 @@
 module Govspeak
-  VERSION = "7.1.0".freeze
+  VERSION = "8.0.0".freeze
 end

data/lib/govspeak.rb

@@ -424,14 +424,14 @@ module Govspeak
       renderer.render(contact: ContactPresenter.new(contact))
     end
 
-    extension("Image", /#{NEW_PARAGRAPH_LOOKBEHIND}\[Image:\s*(.*?)\s*\]/) do |image_id|
+    extension("Image", /^\[Image:\s*(.*?)\s*\]/) do |image_id|
       image = images.detect { |c| c.is_a?(Hash) && c[:id] == image_id }
       next "" unless image
 
       render_image(ImagePresenter.new(image))
     end
 
-    extension("Attachment", /#{NEW_PARAGRAPH_LOOKBEHIND}\[Attachment:\s*(.*?)\s*\]/) do |attachment_id|
+    extension("Attachment", /^\[Attachment:\s*(.*?)\s*\]/) do |attachment_id|
       next "" if attachments.none? { |a| a[:id] == attachment_id }
 
       %(<govspeak-embed-attachment id="#{attachment_id}"></govspeak-embed-attachment>)

data/test/govspeak_attachment_link_test.rb

@@ -35,4 +35,15 @@ class GovspeakAttachmentLinkTest < Minitest::Test
     assert(root.css("p").size, 0)
     assert_match(/Attachment Title\s*test/, root.text)
   end
+
+  test "allows spaces and special characters in the identifier" do
+    attachment = {
+      id: "This is the name of my &%$@€? attachment",
+      url: "http://example.com/attachment.pdf",
+      title: "Attachment Title",
+    }
+
+    rendered = render_govspeak("[AttachmentLink: This is the name of my &%$@€? attachment]", [attachment])
+    assert_match(/Attachment Title/, rendered)
+  end
 end

data/test/govspeak_attachment_test.rb

@@ -21,7 +21,19 @@ class GovspeakAttachmentTest < Minitest::Test
     assert_match(/Attachment Title/, rendered)
   end
 
-  test "only renders attachment when markdown extension starts on a line" do
+  test "allows spaces and special characters in the identifier" do
+    attachment = {
+      id: "This is the name of my &%$@€? attachment",
+      url: "http://example.com/attachment.pdf",
+      title: "Attachment Title",
+    }
+
+    rendered = render_govspeak("[Attachment: This is the name of my &%$@€? attachment]", [attachment])
+    assert_match(/<section class="gem-c-attachment/, rendered)
+    assert_match(/Attachment Title/, rendered)
+  end
+
+  test "only renders attachment when markdown extension starts on a new line" do
     attachment = {
       id: "attachment.pdf",
       url: "http://example.com/attachment.pdf",
@@ -34,5 +46,10 @@ class GovspeakAttachmentTest < Minitest::Test
     rendered = render_govspeak("[Attachment:attachment.pdf] some text", [attachment])
     assert_match(/<section class="gem-c-attachment/, rendered)
     assert_match(/<p>some text<\/p>/, rendered)
+
+    rendered = render_govspeak("some text\n[Attachment:attachment.pdf]\nsome more text", [attachment])
+    assert_match(/<p>some text<\/p>/, rendered)
+    assert_match(/<section class="gem-c-attachment/, rendered)
+    assert_match(/<p>some more text<\/p>/, rendered)
   end
 end

data/test/govspeak_images_bang_test.rb

@@ -80,4 +80,30 @@ class GovspeakImagesBangTest < Minitest::Test
       )
     end
   end
+
+  test "!!n syntax must start on a new line" do
+    given_govspeak "some text !!1", images: [Image.new] do
+      assert_html_output("<p>some text !!1</p>")
+    end
+
+    given_govspeak "!!1", images: [Image.new] do
+      assert_html_output(
+        "<figure class=\"image embedded\"><div class=\"img\"><img src=\"http://example.com/image.jpg\" alt=\"my alt\"></div></figure>",
+      )
+    end
+
+    given_govspeak "!!1 some text", images: [Image.new] do
+      assert_html_output(
+        "<figure class=\"image embedded\"><div class=\"img\"><img src=\"http://example.com/image.jpg\" alt=\"my alt\"></div></figure>\n<p>some text</p>",
+      )
+    end
+
+    given_govspeak "some text\n!!1\nsome more text", images: [Image.new] do
+      assert_html_output <<~HTML
+        <p>some text</p>
+        <figure class="image embedded"><div class="img"><img src="http://example.com/image.jpg" alt="my alt"></div></figure>
+        <p>some more text</p>
+      HTML
+    end
+  end
 end

data/test/govspeak_images_test.rb

@@ -72,6 +72,15 @@ class GovspeakImagesTest < Minitest::Test
     end
   end
 
+  test "allows spaces and special characters in the identifier" do
+    image = build_image(id: "This is the name of my &%$@€? image")
+    given_govspeak "[Image: This is the name of my &%$@€? image]", images: [image] do
+      assert_html_output(
+        "<figure class=\"image embedded\"><div class=\"img\"><img src=\"http://example.com/image.jpg\" alt=\"my alt\"></div></figure>",
+      )
+    end
+  end
+
   test "Image is not inserted when it does not start on a new line" do
     given_govspeak "some text [Image:image-id]", images: [build_image] do
       assert_html_output("<p>some text [Image:image-id]</p>")
@@ -88,5 +97,13 @@ class GovspeakImagesTest < Minitest::Test
         "<figure class=\"image embedded\"><div class=\"img\"><img src=\"http://example.com/image.jpg\" alt=\"my alt\"></div></figure>\n<p>some text</p>",
       )
     end
+
+    given_govspeak "some text\n[Image:image-id]\nsome more text", images: [build_image] do
+      assert_html_output <<~HTML
+        <p>some text</p>
+        <figure class="image embedded"><div class="img"><img src="http://example.com/image.jpg" alt="my alt"></div></figure>
+        <p>some more text</p>
+      HTML
+    end
   end
 end

data/test/{govspeak_table_with_headers_test.rb → govspeak_tables_test.rb}

@@ -1,7 +1,7 @@
 require "test_helper"
 
-class GovspeakTableWithHeadersTest < Minitest::Test
-  def expected_outcome
+class GovspeakTablesTest < Minitest::Test
+  def expected_outcome_for_headers
     %(
 <table>
   <thead>
@@ -248,30 +248,44 @@ class GovspeakTableWithHeadersTest < Minitest::Test
   end
 
   test "Cells with |# are headers" do
-    assert_equal document_body_with_hashes_for_all_headers.to_html, expected_outcome
+    assert_equal expected_outcome_for_headers, document_body_with_hashes_for_all_headers.to_html
   end
 
   test "Cells outside of thead with |# are th; thead still only contains th" do
-    assert_equal document_body_with_hashes_for_row_headers.to_html, expected_outcome
+    assert_equal expected_outcome_for_headers, document_body_with_hashes_for_row_headers.to_html
   end
 
   test "Cells are given classes to indicate alignment" do
-    assert_equal document_body_with_alignments.to_html, expected_outcome_for_table_with_alignments
+    assert_equal expected_outcome_for_table_with_alignments, document_body_with_alignments.to_html
+  end
+
+  test "Invalid alignment properties are dropped from cells" do
+    html = %(<table><tbody><tr><td style="text-align: middle">middle</td></tr></tbody></table>)
+    expected = "<table><tbody><tr><td>middle</td></tr></tbody></table>\n"
+
+    assert_equal expected, Govspeak::Document.new(html).to_html
+  end
+
+  test "Styles other than text-align are ignored on a table cell" do
+    html = %(<table><tbody><tr><td style="text-align: center; width: 100px;">middle</td></tr></tbody></table>)
+    expected = %(<table><tbody><tr><td class="cell-text-center">middle</td></tr></tbody></table>\n)
+
+    assert_equal expected, Govspeak::Document.new(html).to_html
   end
 
   test "Table headers with a scope of row are only in the first column of the table" do
-    assert_equal document_body_with_table_headers_in_the_wrong_place.to_html, expected_outcome_for_table_headers_in_the_wrong_place
+    assert_equal expected_outcome_for_table_headers_in_the_wrong_place, document_body_with_table_headers_in_the_wrong_place.to_html
   end
 
   test "Table headers with a scope of row can have embedded links" do
-    assert_equal document_body_with_table_headers_containing_links.to_html, expected_outcome_for_table_headers_containing_links
+    assert_equal expected_outcome_for_table_headers_containing_links, document_body_with_table_headers_containing_links.to_html
   end
 
   test "Table headers are not blank" do
-    assert_equal document_body_with_blank_table_headers.to_html, expected_outcome_for_table_with_blank_table_headers
+    assert_equal expected_outcome_for_table_with_blank_table_headers, document_body_with_blank_table_headers.to_html
   end
 
   test "Table header superscript should parse" do
-    assert_equal document_body_with_table_headers_containing_superscript.to_html, expected_outcome_for_table_with_table_headers_containing_superscript
+    assert_equal expected_outcome_for_table_with_table_headers_containing_superscript, document_body_with_table_headers_containing_superscript.to_html, expected_outcome_for_table_with_table_headers_containing_superscript
   end
 end

data/test/html_sanitizer_test.rb

@@ -17,6 +17,16 @@ class HtmlSanitizerTest < Minitest::Test
     assert_equal "<a href=\"/\">Link</a>", Govspeak::HtmlSanitizer.new(html).sanitize
   end
 
+  test "disallow style attributes" do
+    html = '<a href="/" style="font-weight:bold">Link</a>'
+    assert_equal '<a href="/">Link</a>', Govspeak::HtmlSanitizer.new(html).sanitize
+  end
+
+  test "disallow style elements" do
+    html = "<style>h1 { color: pink; }</style><h1>Hi</h1>"
+    assert_equal "<h1>Hi</h1>", Govspeak::HtmlSanitizer.new(html).sanitize
+  end
+
   test "allow non-JS HTML content" do
     html = "<a href='foo'>"
     assert_equal "<a href=\"foo\"></a>", Govspeak::HtmlSanitizer.new(html).sanitize
@@ -79,16 +89,16 @@ class HtmlSanitizerTest < Minitest::Test
     assert_equal "<table><tbody><tr><th>thing</th><td>thing</td></tr></tbody></table>", Govspeak::HtmlSanitizer.new(html).sanitize
   end
 
-  test "allows valid text-align properties on the style attribute for table cells and table headings" do
-    %w[left right center].each do |alignment|
-      html = "<table><thead><tr><th style=\"text-align: #{alignment}\">thing</th></tr></thead><tbody><tr><td style=\"text-align: #{alignment}\">thing</td></tr></tbody></table>"
-      assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
-    end
+  test "allows text-align properties on the style attribute for table cells and table headings" do
+    html = "<table><thead><tr><th style=\"text-align: right\">thing</th></tr></thead><tbody><tr><td style=\"text-align: center\">thing</td></tr></tbody></table>"
+    assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
+
+    input = "<table><thead><tr><th style=\"text-align: left;width: 100px;\">thing</th></tr></thead><tbody><tr><td style=\"text-align: center;background-color: blue;\">thing</td></tr></tbody></table>"
+    expected = "<table><thead><tr><th style=\"text-align: left;\">thing</th></tr></thead><tbody><tr><td style=\"text-align: center;\">thing</td></tr></tbody></table>"
+    assert_equal expected, Govspeak::HtmlSanitizer.new(input).sanitize
 
     [
       "width: 10000px",
-      "text-align: middle",
-      "text-align: left; width: 10px",
       "background-image: url(javascript:alert('XSS'))",
       "expression(alert('XSS'));",
     ].each do |style|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govspeak
 version: !ruby/object:Gem::Version
-  version: 7.1.0
+  version: 8.0.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-03-28 00:00:00.000000000 Z
+date: 2023-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionview
@@ -190,14 +190,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.10.0
+        version: 4.11.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.10.0
+        version: 4.11.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -302,7 +302,7 @@ files:
 - test/govspeak_link_extractor_test.rb
 - test/govspeak_link_test.rb
 - test/govspeak_structured_headers_test.rb
-- test/govspeak_table_with_headers_test.rb
+- test/govspeak_tables_test.rb
 - test/govspeak_test.rb
 - test/govspeak_test_helper.rb
 - test/html_sanitizer_test.rb
@@ -327,7 +327,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.15
 signing_key: 
 specification_version: 4
 summary: Markup language for single domain
@@ -346,7 +346,7 @@ test_files:
 - test/govspeak_link_extractor_test.rb
 - test/govspeak_link_test.rb
 - test/govspeak_structured_headers_test.rb
-- test/govspeak_table_with_headers_test.rb
+- test/govspeak_tables_test.rb
 - test/govspeak_test.rb
 - test/govspeak_test_helper.rb
 - test/html_sanitizer_test.rb